Browsers have different security holes
The data tainting security model
Netscape Navigator 3 introduced the short-lived concept of data tainting. When enabled, data tainting allowed one browser window to see the properties of another window regardless of which server that window was loaded from. The author of the second page needed to mark which properties were tainted and therefore could not be passed on to a server. Although it was an interesting idea, it required defensive coding, and the client had to enable data tainting.
You can’t get there from here
Same origin policy
A script is permitted to read and alter the properties only of documents that have the same origin. This same origin policy covers the port and the protocol as well as the host. So if a script’s origin port is 80 and the protocol is HTTP, switching to port 21 and FTP is not permitted. The logic behind this restriction is to prevent theft of information. Let’s say that I’m a bad guy. If the origin restriction didn’t exist, then as long as my script was running, I could take any information entered in another browser window and send it to my Web site using XMLHTTP or another method. Of course, most of the information would be useless, but occasionally I would strike gold and get a credit card number. Talk about your data mining!
The origin security restriction applies not only to documents but also to the browser’s cookie collection. This prevents the bad guy from copying the cookies that identify an online shopper out of the shopper’s own browser and thus becoming, in the eyes of the shopping site, that shopper.
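The three-part comparison the policy makes, as an added example in JavaScript (not code from the original text): each URL is reduced to its protocol, host and effective port, so the HTTP-on-80 versus FTP-on-21 case above fails the check. The URLs and the `isSameOrigin` helper are constructed for illustration.

```javascript
// Added example: the same-origin comparison described above.
// Uses the WHATWG URL parser, available in browsers and Node.js.
// WHATWG URL strips a default port (e.g. ":80" on http), so it is restored here.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ftp:": "21" };

// Reduce a URL to its origin tuple: protocol, host, and effective port.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { protocol: u.protocol, host: u.hostname, port };
}

// Two documents share an origin only when all three parts match;
// the path and query play no part in the decision.
function isSameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.protocol === y.protocol && x.host === y.host && x.port === y.port;
}

// Constructed URL pairs covering each part of the check.
const CASES = [
  ["http://shop.example/cart", "http://shop.example:80/checkout", true], // explicit default port still matches
  ["http://shop.example/cart", "ftp://shop.example:21/pub", false],      // protocol and port differ (HTTP/80 vs FTP/21)
  ["http://shop.example/cart", "https://shop.example/cart", false],      // protocol differs
  ["http://shop.example/cart", "http://shop.example:8080/cart", false],  // port differs
  ["http://shop.example/cart", "http://other.example/page", false],      // host differs
];

// Returns true when every constructed case matches the expected verdict.
function allCasesPass() {
  return CASES.every(([a, b, expected]) => isSameOrigin(a, b) === expected);
}
```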
Enabling a nice shopping spree–with no pesky bills
With most policies there are exceptions, and that’s true of the same origin policy. The policy doesn’t apply to a script with the UniversalBrowserRead privilege: scripts with this privilege are allowed to read properties of documents with a different origin. The UniversalBrowserWrite privilege permits scripts to write such properties. The ability to both read and write properties of a document with a different origin can be obtained either by holding both privileges or through the single UniversalBrowserAccess privilege.
Zones and signed scripts
No more growing pains